222w ago - Update: Estx has now released both a P3KG (Linux) and P3KGWN (Windows) PS3 Dongle ID Key Generator for those interested, winocm has started a PlayStation 3 Dongle Key Generator GIT (compiled binaries with source HERE), and Waninkoko has also shared a PS3 USB Dongle Key Generator JavaScript Version.

Today Graf_Chokolo announced that he has successfully exploited the PS3 hypervisor 3.15 through GameOS and dumped it, and plans to do the same for version 3.41 along with sharing more details soon.

Here is what he had to say on the matter, to quote: "I have just exploited and dumped HV 3.15 from GameOS

I used memory glitching like Geohot to get dangling HTAB entry but 2nd and 3rd stages are quite different. I used my knowledge about HV internals and created a simpler exploit for stage2 and stage3.

I didn’t use second VAS like Geohot. I used lv1_undocumented_function_114 and lv1_undocumented_function_115 to exploit HV after i got a dangling HTAB entry

Now we don't need Linux to exploit and dump HV. Furthermore, HV dump from GameOS is a lot better because when GameOS is running more features are activated in HV So, i can reverse now more C++ objects and understand better how HV works

I will make everything public very soon and i plan to dump HV 3.41 in the next days

Finally i will get access to SYSCON, EPROM, ENCDEC device and more

And now i dumped the real USB Dongle Master Key guys Noone needs it now but here it is. I tested it with HMAC SHA1 and dongle key 0xAAAA and got the same dongle key that was reversed by KaKaRoTo

Just as i said previously, use USB Dongle Authenticator, then dump HV and the decrypted USB Dongle Master Key will be in HV dump I extracted this key from my HV dump after i used USB Dongle Authenticator on GameOS. Then i rebooted GameOS but not HV and the key was still in HV and still decrypted

You still need to do memory glitching like it did Geohot. I used sx28 devboard for this. But software exploit is totally different. I used my HV knowledge and exploited HV quite differently, i didn't use a second VAS like Geohot did.

I did my exploit from exploited GameOS. I used a FAT PS3 but it doesn't matter anymore, you could use a Slim PS3 even. Once exploited, the HV remains exploited as long as PS3 is not powered off, that means you can reboot GameOS as much as you want, HV still remains exploited And you have full read/write access to all RAM and peripheral devices from GameOS except isolated SPUs That means full access to SYSCON, ENCDEC device (which is responsible e.g. for HDD encryption/decryption) and other very interesting stuff

That means, with an exploited GameOS every HV can be dumped and reversed. If GameOS >= 3.42 could be exploited then we could dump the new HV again and reverse SELF decryption again and decrypt new games

And i will dump HV 3.41 soon And look for pure software exploits in it.

I just patched Dispatcher Manager and enabled access to all HV services Dumped SYSCON EPROM

But with control over the HV, you pretty much have control over most of the system, so the possibilities are endless really.

couldn't have said it better myself...

now all we need is to wait for his documentation, and whatever comes out tomorrow from the conference, maybe for new year we'll have an alternative way to go into service mode without a jig, maybe a recovery mode ...who knows.

* You can now specify the dongle ID to be used (instead of always 0xAAAA) when emulating the Sony official jig stick (for downgrading):

When "Dongle ID:" is highlighted, you can enter the dongle ID using the [0]-[9] and [ALPHA]+[A] - [ALPHA]+[F] keys, or use the [LEFT] and [RIGHT] arrows to increase/decrease the value.
You can also enter "0000" or scroll all the way to the left to have the application randomly generate a dongle ID each time it is used.

* There are also a couple of bug fixes involving graphical glitches in the Options menu and enabling the hook even when "Install" wasn't selected.

v0.09.0001 changelog:
Allow changing the dongle ID from 0xAAAA to any other value, or "Random" (0x0000).

A couple of bug fixes:
Graphical glitch when displaying 8-character AppVar names in Options menu. Don't enable the hook when turning off from "Done" screen.

Well, your jumping the gun. A HV exploit would allow read/write to that area, which gives higher permissions - allowing for dumping and examining of the HV, as well as, if someone were to write it I suppose, NTFS support (longshot tho!)

Deciphering things lead to two places - repacking them and running as development, or looking for additional exploits.

But with control over the HV, you pretty much have control over most of the system, so the possibilities are endless really.

Can someone please explain to us out here who are not C++ inclined and explain what this means? Like, does this mean he can now reverse 3.55? Or unpack it and make a CFW? Or make it so we can play all games? Allow NTFS for externals? (That would rule ALL!)

I know this means he can decypher more of GameOS and what it runs, likewise that would mean removing signed protection ect. But, before I even think about that, I would like to know for sure what could come out of this. Obviously there could be hundreds of things that can come from this, but the outright obvious ones, what would they be?

good news! Thx to graf someone reale he ps3 dongle ID generator! All of the dongles on the market today (and PSGrade) use 0xAAAA as their ID. With this app you can generate a new ID, which would prevent Sony from revoking your ID.

p3kg – Xtse

Description
Generates a Dongle ID Key based on the Dongle ID provided.

Usage
./p3kg

Example
./p3kg 0xAABB

Note: must be 2 bytes (4 characters) and prefixed with 0x
I.e. 0x0AA will not work; 0x00AA will.

When I wrote this I hard-coded the revoke list on graf_chokolo’s wiki so credits to him and all of his hard work.
If you want source code, let me know – I’ll make a few changes – tidy it up and post it as well.